// Risk Assessment Philosophy

Risk Is a Business Problem.
I Treat It Like One.

Before a single control is deployed, I start by understanding what the business can't afford to lose — then work backward from there.
Step 01
What Keeps This Business Running?
Security exists to protect operations — not to satisfy a checklist. I start every engagement by mapping the business outcomes that cannot be interrupted.
Revenue continuity · Customer trust · Acceptable downtime · Regulatory standing
With 35+ client environments managed simultaneously, this question has a different answer for every organization: a manufacturing floor has a different downtime tolerance from a legal firm, and the security design must reflect that.
Tools here › ConnectWise · Client Documentation · Environment Baselining
Then ask: what's the cost of doing nothing?
Step 02
Cost of Controls vs. Cost of Failure
Every control has a price. Every breach has a larger one. This is where I build the business case — not with fear, but with numbers.
A single ransomware event at an SMB client can mean days of downtime, data loss, regulatory fines, and reputational damage that far exceeds the annual cost of the controls that would have prevented it. I've seen it. The math isn't close.
Predictable implementation costs beat unpredictable breach costs every time. That's the argument I make to business owners — and I can back it with evidence.
Tools here › OpenVAS · Patch Compliance Reports · Datto Health Dashboards
Now map the threat surface
Step 03
Who Has Access — and Who Shouldn't
Every identity with access is a potential entry point. I map all internal and external parties before recommending a single control.
Internal
  • Employees & end users
  • Admins & privileged accounts
  • Service accounts
  • IT team & vendors with access
External
  • Third-party vendors
  • Managed service providers
  • Regulators & auditors
  • Threat actors (assumed present)
Zero Trust principle: access is never assumed safe — it's verified. Every layer, every time.
Tools here › Active Directory · Group Policy (GPO) · Azure AD · PAM · MFA
Identify what must be protected
Step 04
What Are the Critical Assets?
Not everything carries the same risk weight. I work with clients to identify the assets that — if lost, encrypted, or exfiltrated — would cause the most damage.
Customer & patient data · Financial records · ERP / revenue systems · AD & identity infrastructure · Backup systems · Production environments
Across 52 servers and 35 clients, I've built inventories of critical asset dependencies — so when a failure occurs, response is already scoped.
Tools here › LANSurveyor · Zabbix · Synology NAS · Datto · ConnectWise
Review evidence before assuming
Step 05
What Does the Evidence Actually Show?
Risk assessment without evidence is guesswork. I anchor every analysis in audit findings, monitoring data, and historical incident patterns — not assumptions.
Sources I use: SIEM event logs, SentinelOne alert history, Zabbix performance data, vulnerability scan results (OpenVAS), patch compliance reports, and client audit findings.
Defensible timelines built from correlated evidence aren't just useful for response — they're the proof that validates where the real risks live before a control dollar is spent.
Tools here › Graylog · SentinelOne · OpenVAS · Zabbix · Windows Event Logs
Understand the threat landscape
Step 06
What Are the Realistic Threats?
I don't build threat models around theoretical nation-state actors for SMB clients. I focus on the threats that are actively targeting the environments I protect.
Phishing & BEC · Ransomware (ATT&CK T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery) · Credential theft · Insider misuse · Supply chain risk · Unpatched vulnerabilities
Each threat is mapped to MITRE ATT&CK techniques where applicable — giving both a shared language and a specific detection focus for the controls that follow.
Tools here › MITRE ATT&CK · SentinelOne · Proofpoint · KnowBe4 · Huntress
Quantify and prioritize
Step 07
Score the Risk. Prioritize the Response.
Risk isn't binary — it's a product of how likely something is to occur and how much damage it causes if it does.
Risk = Likelihood × Impact
Evaluate: financial loss · operational downtime · regulatory exposure · reputational damage
This score drives prioritization — not vendor recommendations, not compliance checkbox order. High-likelihood, high-impact risks get controlled first, regardless of how uncomfortable that conversation is.
Tools here › OpenVAS · Graylog · NIST 800-171 · CMMC Controls
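A worked version of that scoring, added here as an illustration rather than code from this page's author: each entry in a small constructed risk register is rated on a 1 to 5 likelihood scale and on the four impact dimensions listed above, impact is taken as the worst of the four (a weighted sum is the other common choice; the max rule and the band thresholds are assumptions, not something the page specifies), and the register is sorted by Likelihood × Impact. The `compliance_order` field is illustrative and only exists to show that checklist position plays no part in the ranking.

```python
"""Risk register scoring: Likelihood x Impact, prioritized.

Added example. Scales, the max-of-dimensions impact rule, the band
thresholds and the sample register are all assumptions/constructed data.
"""
from dataclasses import dataclass

# Qualitative likelihood scale, 1 (rare) to 5 (almost certain).  Assumption:
# the page states the formula, not the scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass
class Risk:
    name: str
    likelihood: str        # key into LIKELIHOOD
    financial: int         # 1-5: financial loss
    downtime: int          # 1-5: operational downtime
    regulatory: int        # 1-5: regulatory exposure
    reputational: int      # 1-5: reputational damage
    compliance_order: int  # illustrative: position on some control checklist

    def impact(self) -> int:
        # The worst dimension drives impact: an event that halts operations is
        # critical even if the fine attached to it is small.  (Assumption.)
        return max(self.financial, self.downtime, self.regulatory, self.reputational)

    def score(self) -> int:
        # Risk = Likelihood x Impact, range 1..25
        return LIKELIHOOD[self.likelihood] * self.impact()


def band(score: int) -> str:
    """Map a 1..25 score to an action band (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(register: list) -> list:
    """Highest score first; higher impact wins ties.  Checklist order is ignored."""
    return sorted(register, key=lambda r: (r.score(), r.impact()), reverse=True)


# Constructed sample register for a hypothetical SMB client (not real client data).
SAMPLE_REGISTER = [
    Risk("Ransomware via phishing (no MFA on VPN)", "likely", 4, 5, 3, 4, compliance_order=7),
    Risk("Untested backups fail during restore", "possible", 4, 5, 2, 3, compliance_order=12),
    Risk("Shared local admin password on workstations", "likely", 3, 3, 2, 2, compliance_order=3),
    Risk("Stale vendor account still enabled", "possible", 2, 2, 3, 2, compliance_order=1),
    Risk("Theft of a BitLocker-encrypted laptop", "unlikely", 1, 1, 2, 1, compliance_order=2),
]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():>2}  {band(r.score()):<8}  checklist #{r.compliance_order:<2}  {r.name}")
```

Run as-is, the two items that sit at positions 7 and 12 on the hypothetical checklist come out on top (scores 20 and 15), while the checklist's first two items land at the bottom, which is the point Step 07 makes about scoring over checkbox order.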
Map controls to risks — not the other way around
Step 08
Apply Controls That Match the Risk
Controls are selected because they address a specific, identified risk — not because they were in a vendor bundle. Each one maps back to Step 1: what keeps this business running.
MFA on all identity entry points
Privileged access management (PAM)
EDR with behavioral detection tuning
Validated, tested backup + DR
DNS-layer filtering (Cisco Umbrella)
Patch compliance >90% at scale
SIEM correlation + alert tuning
Security awareness training (KnowBe4)
Tools here › SentinelOne · Cisco Umbrella · Proofpoint · Datto / Axcient · Graylog · KnowBe4 · Azure MFA · WSUS
Security is a business decision. I make it easier to make.
Every step in this process is something I've executed across real client environments — not theory. The goal has never been to deploy tools. The goal is to reduce the probability and impact of the things that would actually hurt the business.